With this vulnerability, an attacker with physical access to the computer (USB port) can take control of Intel Management Engine (IntelME), and the whole computer.

What are the attack vectors? (Physical access to the computer required?)

What computer (and configuration) are affected?

How to protect and/or mitigate such attacks?

This attack seems to specifically target Intel CSME (IntelME/AMT). The same security researchers disclosed a similar vulnerability targeting the main CPU/firmware in April 2017 (but this setting is disabled in the UEFI/BIOS firmware by default).

2 Answers

The attack works by exploiting the USB JTAG debug feature found in some PCs.

Years ago, if a computer manufacturer was debugging their motherboard design, there would be a special port on the motherboard called a JTAG port to poke around registers in the processor/chipset. https://en.wikipedia.org/wiki/JTAG

On modern motherboards, there is often no room for a JTAG port. And in the case of something like a laptop, it may not be feasible to get to the JTAG port. So, Intel developed a way to access JTAG via one of the USB ports.

In the BIOS settings for a PC, there would typically be an option to enable USB debugging, and this option should be disabled by default in any production systems shipped to customers. However, there are some computer manufacturers that have not followed best practices:

They turned debug on by default during HW/BIOS development and forgot to turn it off.

They hard-coded the state of USB debug in the BIOS to enabled, and did not provide an option to disable it.

If you have access to the USB debug/JTAG function, you have “better than root” access to the system. It is intended for the hardware and firmware designer to troubleshoot low-level system issues. The exploit is really about JTAG, not Management Engine. If an attacker can get to the JTAG port, they own your computer, period. Intel Management Engine is just something they can exploit while they have control.

One of the fundamental laws of computer security is that if a bad guy has unrestricted physical access to your computer, it isn’t your computer anymore. JTAG is an example of that rule.
https://msdn.microsoft.com/en-us/hh278941.aspx

So what do you do to stop this?

Don’t let a bad guy have physical access to your computer. If you suspect this has happened, stop using your computer immediately and get a new one.

Check with your manufacturer for a BIOS update.

Disable USB debug in the BIOS if you can.

If you do not have an option to disable it, contact the manufacturer of the computer/motherboard to see if they have it enabled. If they do, you have to wait for them to provide an update, or replace the computer.

@FranklinPiat Yes but exploiting the ME once you have JTAG Access isn’t much of a shock. Once you’re on the other side of the airtight hatchway you already own the system completely. You own more of the system than the OS does. Accessing the ME is just the bacon bits on the exploit salad at that point.
– myron-semack Nov 12 '17 at 21:06

Actually the main CPU is not supposed to grant JTAG access to the ME. The problem seems to be that the P2SB bridge is normally hidden but can be made unhidden (by root?), and this allows DCI to access the ME somehow.
– forest Nov 29 '17 at 21:12
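For the first answer's advice to find out whether debug was left enabled, a Linux-side check of the CPU debug-enable state, written as an added example that is not part of the answers or comments. It assumes the IA32_DEBUG_INTERFACE MSR (0xC80) and its bit layout from the Intel SDM, which the page does not mention, and the Linux `msr` driver; the OK/WARN/FAIL labels are this example's own, and it does not read the chipset-side DCI setting.

```python
import os
import struct

# Assumption (Intel SDM, not from the page): silicon debug feature control MSR.
IA32_DEBUG_INTERFACE = 0xC80
ENABLE = 1 << 0           # firmware enabled silicon debug features
LOCK = 1 << 30            # MSR locked against further change
DEBUG_OCCURRED = 1 << 31  # sticky record that the enable bit was set


def read_msr(cpu=0, msr=IA32_DEBUG_INTERFACE):
    """Read a 64-bit MSR through /dev/cpu/N/msr (needs root and `modprobe msr`)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, msr))[0]
    finally:
        os.close(fd)


def assess(value):
    """Classify an IA32_DEBUG_INTERFACE value as (verdict, findings)."""
    findings = []
    if value & ENABLE:
        findings.append("debug enabled")
    if value & DEBUG_OCCURRED:
        findings.append("debug occurred since reset")
    if not value & LOCK:
        findings.append("not locked")
    if value & (ENABLE | DEBUG_OCCURRED):
        verdict = "FAIL"   # debug is, or was, enabled on this boot
    elif not value & LOCK:
        verdict = "WARN"   # disabled, but firmware left it changeable
    else:
        verdict = "OK"     # disabled and locked
    return verdict, findings


if __name__ == "__main__":
    # Constructed sample values, not readings from a real machine.
    for sample in (0x40000000, 0x00000000, 0x00000001, 0xC0000001):
        print(f"{sample:#010x}", *assess(sample))
    try:
        live = read_msr()
        print("live", f"{live:#010x}", *assess(live))
    except (OSError, struct.error) as exc:
        print("live read skipped:", exc)
```

A FAIL or WARN result is the case to raise with the manufacturer, as the answer suggests, when the BIOS offers no switch.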

Well this is still breaking news to many of us though the issues of Intel's Management Engine have been raised for years & there have been previous problems with it. So this answer may need updating as more information becomes available.

What are the attack vectors? (physical access to the computer required?)

In this particular case, yes - physical access is required. However, you should note that one of the purposes of the ME is to allow remote access. It contains a full network stack and even a web server.

What computer (and configuration) are affected?

Anything with an Intel processor going back quite a few years. Originally, the ME was built into the North Bridge and later integrated to the processor (ref).

Broadwell, Skylake, and newer are affected. Systems older than that do not support DCI (the protocol for accessing JTAG over USB). While these systems do have an ME, it is not accessible over USB.

How to protect and/or mitigate such attacks?

Burn the tracks for the USB off the motherboard! But bear in mind that that only stops this issue, not others that may later be found. Don't forget that there are other, actually probably much easier, attacks possible via USB. For high-security use, USB needs to be turned off or given additional protection.

You may be fortunate enough to have a motherboard with a BIOS that lets you turn off AMT. Also, the Wikipedia article referenced above mentions some mitigations for Windows.

Even if AMT is turned off, e.g. in a BIOS setting, DCI over USB can still hijack the ME on vulnerable systems.

Using AMD chips and motherboards may also help though I have no actual evidence for that. Certainly Intel have always been very close-lipped about AMT so I am guessing that AMD chipsets don't have it - it is possible they have their own solution though.

An anonymous user suggested in an edit that AMD systems have something similar, called the AMD PSP, but they did not think it can be accessed over USB.